Privacy Policy
Updated January 17, 2024
1. Introduction:
Bureau, Inc., BureauID India Private Limited and Junoon Tech Pte. Ltd. (either together or as applicable “Bureau”, “we”, “us”, or “our”) provide various offerings related to identity verification, compliance and fraud prevention solutions, including software, technology, analytics, or any other services made available by Bureau to its customers (“Customers”) (“Services”) via mobile or web applications, application programming interface (APIs), software development kits (SDKs), or any other access channels (“Platform”).
This Privacy Policy (“Policy”) explains how we collect, use, share, transfer, and protect personal data (“Personal Data”) across the jurisdictions and regions where we operate, including India, the United States of America, Singapore, the Philippines, Indonesia, MEAt, and the European Union/EEA.
This Policy applies to Personal Data we collect:
directly from individuals (such as applicants, customers, job applicants, or website visitors);
from our Customers who use our Services to process their end-users’ data; and
from third parties such as public sources, partners, and authorized data providers.
If you are an end-user of one of our Customers, your primary relationship is with that Customer. In those cases, Bureau acts as a Processor on behalf of that Customer (the controller). Where we determine the purpose and means of processing, Bureau is the Controller. For the purposes of this Policy, Controller / Processor is as defined under applicable data protection laws. Bureau may act as either depending on the engagement and the jurisdiction.
2. Scope and Applicability
This Policy applies to Personal Data we collect:
directly from individuals (such as applicants, customers, job applicants, or website visitors);
from our Customers who use our Services to process their end-users’ data; and
from third parties such as public sources, partners, and authorized data providers.
Bureau uses your information to deliver and improve its Services, particularly in verifying identity and preventing fraud. We analyze data to detect patterns of fraudulent activity and provide our customers with insights to help them meet operational and compliance requirements.
If you are an end-user of one of our Customers, your main relationship is with that Customer. In those cases, Bureau acts as a Processor on behalf of that Customer (the Controller). Where we determine the purpose and means of processing, Bureau is the Controller. In cases where Bureau operates as a Processor, while providing Personal Data directly to us is not mandatory, the absence of such information may restrict our ability to perform the Services on behalf of our Customers. For the purposes of this Privacy Policy, Controller / Processor as defined under applicable data protection laws. Bureau may act as either depending on the engagement and the jurisdiction.
3. Categories of Data We Collect
Identity and contact data
Examples: name, date of birth, address, email, phone
Government issued IDs
Examples: passport, national IDs, tax IDs, driver’s license
Biometrics
Examples: face images, liveness checks (only where permitted and with basis)
Payment and transaction Information
Examples: account details, payment instrument details (where permissible), billing address, credit attributes
Device and technical data
Examples: IP addresses, device id, browser sessions, cookies
Behavioural and usage data
Examples: logs, support tickets
Derived data:
Examples: fraud scores, compliance risk scores Where permitted by law, we may obtain additional information about you from third-party providers or partners. This may include consumer reporting agencies, fraud prevention services, data brokers, government databases, and marketing or analytics providers, and may be combined with the information we already hold about you.
4. How We Use Your Personal Data
We use the Personal Data we collect to:
Provide and improve our Services, including maintaining, updating, and enhancing features.
Communicate with you about service updates, account or subscription notices, and changes.
Enable your participation in the interactive features you choose to use.
Protect legitimate interests, such as fraud prevention, product improvement, or security.
Analyze and improve our Services by gathering insights to monitor usage and enhance performance.
Ensure security and reliability by detecting, preventing, and addressing fraud, abuse, or technical issues.
Fulfill obligations such as contracts, billing, and compliance requirements.
Share relevant updates like offers or news about similar services.
Support you by offering customer assistance and honouring your choices.
5. Legal Bases for Processing
We process personal and sensitive data on the following bases:
Consent: when you (or our Customers, as data Controllers) give explicit permission for specific processing.
Contractual Requirements: when needed to perform obligations under a contract with our Customers, partners, or API users.
Legal Obligations: when required by applicable laws or regulations (e.g., AML, fraud prevention, reporting).
Legitimate Interests: when improving Services, preventing fraud, or ensuring security, without overriding your rights.
6. How We Collect Data
Directly: from you when you use our Services, upload documents, or contact us.
From Customers: our Customers provide end-user data to perform verification and fraud risk checks.
From third parties: public sources, data providers, credit bureaus, and sanctions/PEP lists.
7. Sensitive Data and Biometrics
We process biometrics and other sensitive data only when required for the Service (e.g., eKYC), we have a lawful basis (consent or legal obligation), and strict safeguards are in place (encryption, access controls).
8. Sharing and Recipients
We may share Personal Data with:
Customers (Controllers of their users’ data);
Service providers (e.g., hosting, analytics, ID verification);
Regulators and authorities, if legally required;
Affiliates and acquirers, if part of a corporate transaction.
9. International Transfers
Bureau operates globally, with infrastructure in India, Singapore, and the US. Personal Data may be transferred across borders. For EU/EEA transfers, we rely on Standard Contractual Clauses (SCCs) or adequacy decisions. For other countries (India, Indonesia, Philippines, Singapore, US), we apply contractual and technical safeguards consistent with local laws. We may update our infrastructure location from time to time.
10. Data Subject Rights
Depending on your jurisdiction, you may have rights to:
access, correct, or delete Personal Data
restrict or object to processing
portability of your Personal Data
withdraw consent where consent was the basis
lodge a complaint with a regulator
additional measures, if applicable, as per local laws
When you exercise any of the above rights, we may require you to submit additional information or Personal Data to verify your identity. Requests to exercise the above rights may be made through our Data Protection Officer (DPO) or the grievance channel as set out in Section 15 of this Policy.
11. Data Retention
We retain Personal Data only as long as necessary for providing the Services, meeting regulatory requirements (e.g., KYC recordkeeping), or resolving disputes and enforcing agreements. When no longer required, data is securely deleted.
12. Security
We use organizational, technical, and physical safeguards, including encryption in transit and at rest, access control and multi-factor authentication, regular audits and penetration testing, and incident response planning. We regularly seek new ways to further enhance the security of our Services.
13. Cookies
We use cookies and similar technologies to improve your experience, secure our Services, and understand how they are used. Some cookies are essential for the operation of our Services, while others help us analyze trends, personalize content, and deliver relevant communications. You can manage or disable cookies in your browser settings, but certain features or Services may not work as intended if cookies are disabled.
14. Breach Notification
We will notify Customers, regulators, and (where required) affected individuals of data breaches as soon as we become aware in line with applicable laws (e.g., CERT-IN 6-hour rule, GDPR 72-hour rule).
15. Contact and DPO
To exercise your rights or raise a concern, contact: dpo@bureau.id
16. Children’s Privacy
Our Services are not directed to children under applicable age limits (13 – 16 years, depending on applicable laws). If you learn that your child has shared Personal Data with us without your consent, please contact us (see Section 15 of this Policy) so we can remove it promptly.
17. Changes
We may update this Policy to reflect changes in our Services, legal requirements, or business practices. Updates take effect once posted on our website, unless the law requires otherwise. By continuing to use our Services or accessing the Platform after an update, you accept the revised Policy. We encourage you to review it regularly. If any change significantly affects your rights, we will provide additional notice, such as by email or a clear notice on our website.
